Interview: Laura Chappell, Internationally Renowned Sr. Protocol/Security Analyst and Founder of the Protocol Analysis Institute LLC, and Co-founder of the Internet Safety for Kids Project
This week, Stephen Ibaraki, I.S.P., DF/NPA, CNP, MVP has an exclusive interview with Laura Chappell, recipient of the "2005 International Professional Excellence and Innovation Award - Independent Network Contractor" founded by the NPA in 2002 and given out at the largest networking industry conference, Networld+Interop (now called Interop) Las Vegas.
Laura is the Founder and Senior Protocol/Security Analyst
for the Protocol Analysis Institute, LLC, www.packet-level.com. Moreover, Laura is a widely regarded
speaker and best-selling author of numerous industry titles on network
communications and analysis. Her top-ranking speaking engagements include
Microsoft's TechNet and TechEd Conferences, Novell's BrainShare Conferences,
and the HP Enterprise Technical Symposium. Ms. Chappell is also the founder of
and Technical Advisor for podbooks.com, an Internet-based publishing company
focused on packet-level communications and security. In addition, Ms. Chappell
writes and provides content for a number of industry publications. In
2005, Ms. Chappell released her Master Library encompassing all books,
self-study courses, video-courses and trace file interpretations. For more
information on podbooks.com, visit www.podbooks.com. For more information on the Laura Chappell Master Library, visit www.packet-level.com/library.
Internationally renowned, Laura has trained thousands of
LAN/WAN administrators, law enforcement officers, engineers, technicians and
developers worldwide. Chappell is a member of the High Technology Crime
Investigation Association (HTCIA) and has been an Associate Member of the Institute of Electrical and Electronics Engineers (IEEE) since 1989.
Through the Protocol Analysis Institute, LLC, Chappell
founded the Internet Safety for Kids program in 2005. This program
provides education and presentation services on online predators, safe Internet
communications and parental and law enforcement resources. For more information
on the Internet Safety for Kids program, visit www.packet-level.com/kids
or contact Ms. Chappell at kids@packet-level.com.
Discussion:
Q: Laura: thank you for taking time out of your very busy
schedule to do this interview.
A: Thanks so much for asking me. I'm certain you will have some interesting questions for me, Stephen.
Q1: Critical information leaks of intellectual property are
a growing area of concern. What are your views on managing this area?
A: Regardless of privacy issues, IT managers must monitor employee communications to protect corporate assets and network efficiency. The users will certainly scream about their "privacy" being invaded, but the bottom line of the business depends on optimizing and securing the network. It's time for the IT manager and CEO/CIO/CTO to get on the same page with regard to monitoring employee activity on the network and the actions they will take when misuse is discovered. (There are concerns about monitoring employee activities; see http://www.cio.com/archive/051505/monitor.html.)
Q2: Can you expand on the privacy issue and how
corporations can meet this challenge?
A: Ahh... this topic always gets people heated up, but I am a big proponent of monitoring employees' network/computer use.
The 2005 Electronic Monitoring and Surveillance Survey conducted
by the American Management Association (AMA) indicated that nine out of ten
companies monitor their employees in some way or another (video surveillance,
Internet use, phone use, etc.). [See www.amanet.org.]
With network abuse sucking the productivity out of a corporation and corporate
intellectual property and confidential information leaking out, it is no wonder
that monitoring was put into place. The 2005 CSI/FBI Security Survey indicated
that insider abuse of Internet access ranked number one in types of abuse or
attacks. Unauthorized access to information ranked fourth and theft of
proprietary information ranked seventh. [See www.gocsi.com.]
It's not just resource abuse that is a catalyst for employee monitoring; protection of corporate assets and even the protection of the employees' own confidential records may spur a corporation on to watch what's flowing in and out of their network.
To address the need for monitoring with the employees' concerns for privacy, corporations need to educate employees on why monitoring is necessary to protect the corporation and the employees themselves. If management simply announces a "big brother policy" one day to employees, they could risk leaving such a bad taste in the employees' mouths that the monitoring could cause an immediate reduction in productivity. No one wants to work in an environment where they feel they are being controlled and manipulated with no voice or inside knowledge of why decisions are made! That reminds me of my years at Catholic boarding school, where whatever Sister Gerald said was law. In that case, I can certainly understand why I was being watched like a hawk (I was just up to no good), but I felt persecuted.
Corporations also need to be aware that they may be held liable for the failure to investigate an employee's use of a computer to perform some criminal activities, such as viewing child pornography. On December 27, 2005, the New Jersey Appellate Division held that an employer has an affirmative duty "to investigate the employee's activities and to take prompt and effective action to stop the unauthorized activity, lest it result in harm to third parties." [Doe v. XYC Corporation, 2005 WL 3527015.] In this case, XYC Corporation monitored an employee's surfing habits and noted that the employee was surfing porn sites; the names of the websites implied that at least one of the sites was a child pornography site. Sure enough, they found nude pictures of his minor stepdaughter on his drive. Some companies seem to think that they only need to act if they are a mandated reporter. Wrong (in so many ways).
Employers and IT staff need to determine now what they
will do if they find such criminal activity taking place on the network. I
recommend they review their monitoring policies, educate users on the need for such
monitoring and then diligently enforce those policies. Don't just fire the employee and let them continue their activities in another company. In addition, those companies need to make their law enforcement contacts now; don't wait until an incident arises and you find yourself cold-calling some
local cybercrime task force. Membership in an organization such as the High
Technology Crime Investigation Association (HTCIA) can help formulate those law
enforcement/private sector relationships and be invaluable when questions
regarding possible criminal activity, evidence collection and prosecution
guidelines surround the company.
Q3: Wireless networks are growing rapidly. Being specific,
what are the security concerns and the best solutions to these concerns? Can
you detail the "War Driving Project" in Australia?
A: Some of my most interesting trace files involve wireless communications! One area I've been particularly interested in is "open wireless networks." Think trade shows. Think VIP clubs at the airport. Think McDonalds and Starbucks. These wireless networks are intentionally open to provide convenient Internet access to attendees and customers. You can warn people against sending unsecured information over these networks, but they just don't seem to think anyone is listening. Guess what? We are. I remember sitting in an American Airlines Admirals Club with my kids. A "3-piece suiter" sat next to me, apparently wondering why I would be allowed to bring my kids into the VIP lounge. If only I could have told him that I was actually sniffing all his traffic as he sent cleartext communications to his office talking about release dates for unannounced products! Even at a conference attended primarily by law enforcement officers I was able to get a bucket of passwords and a steamy Instant Messenger (IM) session.
In the War Driving Project conducted in Australia, we had a group war drive the top cities including Sydney, Melbourne, Adelaide, Canberra and Brisbane. We found numerous networks with WEP disabled, but more disturbing, we found numerous networks with WEP enabled but no other level of security put in place. Really now, it's like taping a sign that reads "authorized entry only" across the front door of your house but leaving the door unlocked. WEP is not sufficient to secure wireless networks. In many cases we found the access points still set for the default configurations!
Enabling MAC address filtering is a joke. With a wireless analyzer, anyone can determine the MAC address of "privileged computers" and spoof those MAC addresses to gain entry.
Corporations need to change the default admin password on their access points, identify rogue access points on the network, look into WPA2 with decent keys, authenticate wireless users with protocols like EAP and use encryption (such as SSH) for all applications that cruise across the wireless network. In addition, the wireless network traffic should be encrypted using a VPN, and they should regularly test their wireless network security.
Q4: Which best-of-breed technology do you recommend for
monitoring network communications? How do you see this technology evolving by:
2007, 2010, 2012?
A: I have been fortunate enough to work with a variety of
network analyzers, flow analyzers and anomaly-detection tools. One such tool
actually grouped network devices based on their typical communication patterns.
Others can perform content monitoring based on binary signatures, thereby
thwarting the old "rename the file" and "alter the file extension" trick. Although many of these tools require passive access to the data flowing through the network, host-based monitoring tools allow you to look directly at the desktops to see what's installed there before it's encrypted and sent over the wire. Of course email monitoring is a must as well.
I think monitoring will increase in ease-of-use and
automation with a combination host/network monitoring solution linked to
regulatory compliance. In addition, I'd like to see these tools offer some
proactive auditing functions to identify software and hardware throughout the
company and provide anomaly-detection when new software is loaded on a system
or new hardware is found.
Again, all this must be implemented without coming across
as "big brother." Companies have got to get across to the employees that they are not just looking for the one bad apple, but also contractors, vendors, temporary employees and management (who have a tendency to bring in very dirty laptops after a weekend of net gaming).
Q5: Can you elaborate on your recommended policies for
processing employees engaging in illicit activities?
A: First and foremost, you need to lay the groundwork. You need to get your law enforcement contacts in place. By joining an organization such as HTCIA or InfraGard, you can begin to develop those contacts and hear how other organizations are dealing with employee illicit activities. Chances are good that someone is going to have a war story to share with you if you show interest in learning more. In many cases, my customers have found something they are concerned about and they have asked me to "run it by your law enforcement buddies" to find out what their next steps should be and locate forensic investigators to handle their case.
Companies need to perform a risk assessment by defining
their corporate assets (not just digital information assets such as the
customer or employee database and proprietary corporate information, but also
the non-tangible assets such as company reputation and ethical standards). Once
the company knows what they are protecting, they should have a clearer sense of
how to protect those assets.
Employee buy-in is critical; a simple training video covering some of the cases listed on the Department of Justice Cybercrime and Intellectual Property Section (CCIPS) Computer Intrusion Case page (see www.cybercrime.gov/cccases.html) would help.
Now you've given me another idea, Stephen: record a
simple presentation on the need for employee monitoring based on the CCIPS
cases! Thanks!
Q6: What pointers can you provide to IT Managers about security
and packet-level analysis?
A: Packet-level analysis is a fancy way of saying network wiretapping (or wirelesstapping in the case of 802.11 networks). Although it is a tremendous tool for troubleshooting, it can also be used as an educational tool (to see how the protocols and applications work). In the arena of IT security, packet-level analysis enables us to see if an application is transmitting data in plain text, whether we are being redirected when going to a target system, and to identify the signatures of various attack tools and spyware/malware/viral infections.
Whether the IT Manager purchases a commercial product such as Network General's Sniffer or WildPackets' EtherPeek/AiroPeek, or they allow their IT team to use GNU-licensed software such as Ethereal, they should ensure their team knows how the protocols work on the wire and what faulty communications look like. Strong security knowledge must sit on top of a solid grasp of the TCP/IP protocol stack (including ARP, IP, TCP, UDP and ICMP at least) and the common applications, such as FTP, HTTP, POP3, telnet and SMTP.
When a network breach occurs, a packet-level analyst (aka
protocol analyst or network analyst) can differentiate between normal and
abnormal traffic and often identify exactly what tool is being used against the
target and what security holes are exploited.
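The first of those checks, spotting an application that sends credentials in plain text, can be scripted against reassembled payloads. The following is an added example written for this page, not code from the interview or from any product it names; the FTP, POP3 and HTTP flows it scans, and the addresses and account names in them, are constructed inline.

```python
"""Scan captured TCP payloads for credentials sent in the clear.

Added example, not from the interview. SAMPLE_FLOWS is constructed inline
(made-up addresses and accounts) to stand in for payloads pulled from a trace.
"""
import base64
import binascii
import re

# Constructed sample flows: (client, server, server_port, reassembled payload).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\nPASS s3cret\r\n"),
    ("10.0.0.5", "10.0.0.21", 110, b"USER bob@example.test\r\nPASS hunter2\r\n"),
    ("10.0.0.7", "10.0.0.80", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"carol:Winter2005") + b"\r\n\r\n"),
    ("10.0.0.9", "10.0.0.22", 22, b"SSH-2.0-OpenSSH_4.2\r\n"),  # encrypted after the banner
]

# FTP and POP3 both send "USER <name>" / "PASS <secret>" as plain-text commands.
_USERPASS = re.compile(rb"^(USER|PASS)[ \t]+(\S+)[ \t]*\r?$",
                       re.IGNORECASE | re.MULTILINE)
# HTTP Basic auth is base64, not encryption: the credentials decode directly.
_BASIC = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE | re.MULTILINE)


def find_cleartext_credentials(flows):
    """Return one finding per flow that carries a recoverable username/password.

    Matching is on payload content, not on the server port, so a service
    running on a non-standard port is still caught.
    """
    findings = []
    for client, server, port, payload in flows:
        commands = {cmd.upper(): value for cmd, value in _USERPASS.findall(payload)}
        if commands:
            findings.append({
                "protocol": "FTP/POP3 USER-PASS",
                "client": client, "server": f"{server}:{port}",
                "username": commands.get(b"USER", b"").decode(errors="replace"),
                "password": commands.get(b"PASS", b"").decode(errors="replace"),
            })
            continue
        match = _BASIC.search(payload)
        if match:
            try:
                decoded = base64.b64decode(match.group(1), validate=True)
            except (binascii.Error, ValueError):
                continue  # malformed header; nothing recoverable
            user, _, password = decoded.decode(errors="replace").partition(":")
            findings.append({
                "protocol": "HTTP Basic",
                "client": client, "server": f"{server}:{port}",
                "username": user, "password": password,
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_FLOWS):
        print(f"{f['protocol']}: {f['client']} -> {f['server']} user={f['username']!r}")
```

The SSH flow produces no finding because nothing after the version banner is readable; that contrast is the point of running the check, since the analyst sees which applications leak and which do not.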
Q7: Can you share three case studies illustrating a major
challenge, solutions considered, the final option implemented and any metrics
to support the final decision? Also include the reasons why the other solutions
were not utilized.
A: Case Study 1:
In the area of optimizing network communications, I
worked with a company that reported terrible response times accessing the
Internet. They were considering placing a caching server inside the firewall to
improve performance. When we tapped in to watch all traffic through the
firewall we found that approximately 80% of the traffic was non-work related
traffic with a high number of video porn downloads. This was at the time the
Pamela/Tommy Lee video was a hot item on the Internet. The caching server would
have certainly improved performance, (bringing these porno videos in-house for
local distribution), but the underlying problem was the employees' use of the company network. We could use the employee salary information and the actual data flows to show the loss in productivity caused by the network abuse. In addition, those employees who loaded down the Internet link were affecting everyone else's communications.
Case Study 2:
In another case, a company was using content filtering at
the Internet border to watch for and block specific key words from crossing the
firewall. They'd implemented this solution to stop their users from accessing
specific non-work related sites. They complained of lackluster Internet access
times. When we examined the traffic going through the firewall we noticed over
a 1-second delay crossing the firewall. When we removed the content filtering the network cranked up to proper speeds. A review of the content filtering configuration showed the firewall had not been configured properly: it was
searching for thousands of words when a simple set of bogus DNS entries would have
blocked undesired access. Again, I used an ROI calculator to estimate the
amount of time they wasted each day as their packets crawled through the
improperly-configured firewall.
Case Study 3:
In one instance, a company had systems crashing left and
right; it appeared they would work fine for about 3 minutes and then CPU utilization would reach 100% and then the systems would lock up. The local team kept cleaning malware off the systems, but that didn't seem to stop the
problem. Boot up traces of the problem systems showed us exactly how the
malware was updating itself and we could block it at the firewall to prevent
further infections. Considering how many systems were affected from this
problem, the monetary loss was evident to the company. Proof again that seeing
the problematic traffic can lead you to a security solution that is specific to
that particular problem.
Q8: What sort of network traffic patterns would you
consider unusual?
A: That is a pretty broad question. Every network is
different: roundtrip times are different, network paths are different, boot up and login sequences are different. The local IT team needs to baseline these things to differentiate between what's normal to them today and what traffic
looks like when things go wrong on the network.
There are some general issues I always look for. For
example, "noise." By just placing an analyzer off a switch port I can see the "background" broadcast and multicast traffic as well as traffic that is forwarded down the port because the switch doesn't know what to do with it.
Any traffic going to unassigned IP addresses is a bad sign as well. Every network has something called "dark IP addresses": those
are the IP addresses that fall within your network IP address range, but are
not assigned to any device. No one should be talking to these dark IP
addresses! Traffic to those addresses is probably part of a network scan or
reconnaissance process.
Excessive amounts of ICMP port unreachable messages would also indicate a problem, either a configuration problem or a UDP-based scan underway. ICMP redirects are another type of traffic that I wouldn't want to see... or excessive TCP SYN/RST combinations (a sure sign of a TCP scan)... or ICMP type 13, 15 or 17 packets (used in active OS fingerprinting)... how much time do we have?
Connection attempts to a client system would seem a bit odd to me since clients typically don't host server daemons and processes. That
would raise my curiosity.
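To make those heuristics concrete, here is an added example (written for this page, not code from the interview or from any tool it names) that runs them over a set of constructed packet summaries: dark-IP probes, SYN answered by RST across many ports, bursts of ICMP port unreachables, ICMP redirects, the type 13/15/17 fingerprinting requests, and inbound SYNs to a workstation. The subnet, the list of assigned hosts, the client list and the scan threshold are all illustrative assumptions; the baseline the answer calls for is what would set them on a real network.

```python
"""Flag traffic a baseline would not explain: dark-IP probes, SYN/RST and
UDP scans, ICMP redirects, fingerprinting probes, connections to clients.

Added example, not from the interview. The packet summaries, addresses and
the scan threshold are constructed/illustrative.
"""
import ipaddress
from collections import Counter, defaultdict
from typing import NamedTuple, Optional


class Pkt(NamedTuple):
    """One decoded packet, reduced to the fields the rules below need."""
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""              # TCP flags as letters, e.g. "S", "SA", "RA"
    itype: Optional[int] = None  # ICMP type
    icode: Optional[int] = None  # ICMP code


# Assumed inventory: the site's subnet, the addresses actually handed out,
# and the hosts that are workstations (never servers).
NETWORK = ipaddress.ip_network("192.168.10.0/24")
ASSIGNED = {f"192.168.10.{h}" for h in (1, 10, 11, 12, 50, 77)}
CLIENTS = {"192.168.10.50"}
FINGERPRINT_TYPES = {13: "timestamp request", 15: "information request",
                     17: "address mask request"}


def build_sample():
    """Constructed traffic: one normal connection plus a compromised host scanning."""
    srv, srv2, scanner = "192.168.10.10", "192.168.10.11", "192.168.10.77"
    client, router = "192.168.10.50", "192.168.10.1"
    pkts = [Pkt("tcp", client, srv, 40001, 80, "S"),
            Pkt("tcp", srv, client, 80, 40001, "SA")]
    for p in (21, 22, 23, 25, 110, 143):           # SYN sweep: 22 open, rest closed
        pkts.append(Pkt("tcp", scanner, srv, 50000 + p, p, "S"))
        pkts.append(Pkt("tcp", srv, scanner, p, 50000 + p, "SA" if p == 22 else "RA"))
    for host in ("192.168.10.200", "192.168.10.201"):  # nobody lives here
        pkts.append(Pkt("tcp", scanner, host, 50080, 80, "S"))
    for p in (53, 69, 111, 123, 161, 162):          # UDP sweep, all ports closed
        pkts.append(Pkt("udp", scanner, srv2, 51000 + p, p))
        pkts.append(Pkt("icmp", srv2, scanner, itype=3, icode=3))
    pkts.append(Pkt("icmp", scanner, "192.168.10.12", itype=13, icode=0))
    pkts.append(Pkt("icmp", router, client, itype=5, icode=1))
    pkts.append(Pkt("tcp", scanner, client, 50445, 445, "S"))
    return pkts


def detect(packets, network=NETWORK, assigned=ASSIGNED, clients=CLIENTS,
           scan_threshold=5):
    """Return a list of {rule, host, detail} alerts for the given packets."""
    alerts = []
    dark = Counter()                  # src -> packets sent to unassigned addresses
    syn_seen = set()                  # (src, dst, dport) of every SYN
    closed_ports = defaultdict(set)   # scanner -> {(target, port)} answered by RST
    unreach = Counter()               # host -> ICMP port unreachables received
    for p in packets:
        if ipaddress.ip_address(p.dst) in network and p.dst not in assigned:
            dark[p.src] += 1
        if p.proto == "tcp":
            if p.flags == "S":
                syn_seen.add((p.src, p.dst, p.dport))
                if p.dst in clients:
                    alerts.append({"rule": "inbound_connection_to_client",
                                   "host": p.src, "detail": f"{p.dst}:{p.dport}"})
            elif "R" in p.flags and (p.dst, p.src, p.sport) in syn_seen:
                closed_ports[p.dst].add((p.src, p.sport))
        elif p.proto == "icmp":
            if (p.itype, p.icode) == (3, 3):
                unreach[p.dst] += 1
            elif p.itype == 5:
                alerts.append({"rule": "icmp_redirect", "host": p.src,
                               "detail": f"redirecting {p.dst}"})
            elif p.itype in FINGERPRINT_TYPES:
                alerts.append({"rule": "os_fingerprint_probe", "host": p.src,
                               "detail": FINGERPRINT_TYPES[p.itype]})
    for host, n in dark.items():
        alerts.append({"rule": "dark_ip_traffic", "host": host, "detail": f"{n} packets"})
    for host, ports in closed_ports.items():
        if len(ports) >= scan_threshold:
            alerts.append({"rule": "tcp_syn_rst_scan", "host": host,
                           "detail": f"{len(ports)} closed ports probed"})
    for host, n in unreach.items():
        if n >= scan_threshold:
            alerts.append({"rule": "udp_scan", "host": host,
                           "detail": f"{n} port unreachables received"})
    return alerts


if __name__ == "__main__":
    for a in detect(build_sample()):
        print(f"{a['rule']:30} {a['host']:15} {a['detail']}")
```

The SYN/RST rule only counts a RST that answers a SYN already seen from the same peer and port, so a lone reset from a stale connection does not trip it; the UDP rule counts unreachables by the host that receives them, which is the scanner, not the server that sent them.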
Q9: What specific hardware and software would you recommend
for a security toolkit?
A: First of all, the security toolkit should be a
separate computer from your regular production machine. The tools that we run
on the toolkit systems can be a bit temperamental or experimental. In the
Network Analysis and Security Toolkit course, each student receives a preconfigured
dual-boot laptop with forensic software (Forensic Toolkit), password crackers
(including Brutus), honeypot software (Specter/Windows and honeyd/Linux) and
the entire Security Auditor suite. The system should have as much memory and
hard drive space as you can afford, wireless and Bluetooth built-in (if you
want to do Bluetooth scanning).
Having a dual-boot system is a must now (or a VMware platform to run both Windows and Linux tools from). Lots of the tool binaries are easily available for one or the other platform and not all binaries for each platform are equal. Ethereal, for example, is a tool that I would use for wired analysis on the Windows side, but it doesn't fully support wireless analysis on the Windows side; for that we use Ethereal over Linux.
We're just getting ready to put together the second
version of the Network Analysis and Security Toolkit course � system
specifications (including hardware and software specs) will be online at www.hotlabs.org/toolkit.
Q10: What is the value in knowing ICMP inside and out for troubleshooting,
optimization and security?
A: ICMP (Internet Control Message Protocol) is a gem of a
protocol. I can watch the ICMP traffic on a network to identify
misconfigurations, blatant attacks, fingerprinting, scanning and more. One good
place to start learning about it is in RFCs 792 and 1256 (available at www.rfc-editor.org). [For more information on the significance of Jon Postel as the author/editor of this RFC, see www.postel.org.]
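Reading RFC 792 pays off quickest when you can take an ICMP message apart yourself. As an added example (written for this page, not from the interview), the following decoder lays out the header exactly as the RFC does, computes and verifies the one's-complement checksum, and flags the message types the earlier answer on unusual traffic singles out: redirects and the timestamp, information and address-mask requests that fingerprinting tools send. The packets are constructed inline with build_icmp, not captured, and the gateway address in the redirect is made up.

```python
"""Decode ICMP messages from raw bytes and verify the RFC 792 checksum.

Added example, not from the interview. SAMPLE_PACKETS are constructed with
build_icmp (not captured); the redirect's gateway address is made up.
"""
import struct

TYPE_NAMES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirect", 8: "echo request", 9: "router advertisement",
    10: "router solicitation", 11: "time exceeded", 12: "parameter problem",
    13: "timestamp", 14: "timestamp reply", 15: "information request",
    16: "information reply", 17: "address mask request", 18: "address mask reply",
}
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                 4: "fragmentation needed", 5: "source route failed"}
# Messages that carry an identifier/sequence pair in bytes 4-7 of the header.
ID_SEQ_TYPES = {0, 8, 13, 14, 15, 16, 17, 18}
# Redirects plus the three request types used for active OS fingerprinting.
WATCH_TYPES = {5, 13, 15, 17}


def checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 792 / RFC 1071), zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Assemble type, code, checksum, the 4 'rest of header' bytes and payload."""
    body = rest + payload
    csum = checksum(struct.pack("!BBH", itype, code, 0) + body)
    return struct.pack("!BBH", itype, code, csum) + body


def parse_icmp(packet: bytes) -> dict:
    """Decode the header; checksum_ok is True when the sum over the packet is zero."""
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    itype, code, _ = struct.unpack("!BBH", packet[:4])
    info = {
        "type": itype, "code": code,
        "name": TYPE_NAMES.get(itype, "unknown"),
        "checksum_ok": checksum(packet) == 0,
        "suspicious": itype in WATCH_TYPES,
    }
    if itype == 3:
        info["unreachable"] = UNREACH_CODES.get(code, f"code {code}")
    elif itype == 5:
        info["gateway"] = ".".join(str(b) for b in packet[4:8])
    elif itype in ID_SEQ_TYPES:
        info["id"], info["seq"] = struct.unpack("!HH", packet[4:8])
    return info


# Constructed messages; the 28-byte payloads stand in for the quoted IP header.
SAMPLE_PACKETS = {
    "echo_request": build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh"),
    "port_unreachable": build_icmp(3, 3, payload=b"\x45" + b"\x00" * 27),
    "redirect": build_icmp(5, 1, bytes([192, 168, 10, 1]), b"\x45" + b"\x00" * 27),
    "timestamp_request": build_icmp(13, 0, struct.pack("!HH", 7, 1), b"\x00" * 12),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, parse_icmp(pkt))
```

Verifying the checksum matters for analysis as well as for correctness: some crafted packets carry a bad checksum on purpose, and a host that answers them anyway is itself a fingerprinting clue.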
Q11: What are the best ways to perform a security
vulnerability audit on your network?
A: Well, Stephen, there are so many ways to go about this
so I'll just start spewing out options and let your readers find their
pertinent nuggets in the flow:
Identify assets (risk assessment)
Prioritize the audit focus (separate the task into
smaller chunks)
Differentiate between intrusive and non-intrusive audit
procedures
Map the network from outside and inside the firewall
Audit server and client software and hardware
Examine software/hardware audit results against an "acceptable" list
Examine log files and log file usage
Audit routers, firewalls and critical infrastructure
devices
Verify system and user configurations
Audit application traffic for cleartext data transfer or
unusual dependencies
Audit all network access points (dial-in, wireless,
tunnels, partner/consultant links)
Audit security training information for users,
management, consultants
Check against industry-known vulnerabilities
Audit antivirus and anti-spyware capabilities and status
Audit patch and fix levels for hosts and servers
(multiple OS types too)
Q12: Can you share your viewpoints and recommendations on
the following...?
Voice over IP:
VoIP is a hot technology, and a scary one. Consider the nightmare of early implementations of WLAN technology: people were throwing up access points left and right and marveling at the freedom of the wireless world. Then came a slap across the face: it wasn't secure.
We can, and should, look at VoIP technology as simply an application: how secure is the application? Are there VoIP viruses, worms,
malware and denial of service attacks on the horizon? Of course there are! And
what is the downside when VoIP service is not available because of one of these
problems? No phone service to or from the corporation? Nobody home at the call
center? No access to 911? What is the cost of such downtime?
Remember that VoIP doesn't handle latency well either... if
we merge the data and voice network and there is significant overload on the
data side, what will that do to the VoIP side? We all know how it feels to make
an international call and have such high latency that each side is talking over
each other. What an irritating pain!
What about interception? Imagine if someone could listen
in on your phone calls? Encryption may inject unwanted latency into the calls.
Serious thought needs to go into the notion of a
full-blown VoIP dependency for phone service.
Security tools and tricks:
Every network/security analyst should have the most
up-to-date bag of hacker tools and tricks on a dedicated system. Only by
knowing those tools inside and out can we identify their signatures and stop
them in their tracks. In addition, companies need to maintain a security lab
for vulnerability and tool testing; running a full Nessus audit on a production server can be a precursor to that new job you've never wanted.
Network analysis, forensics, and host forensics:
I believe all IT security specialists should have a solid
grasp of network forensics. What's normal traffic and what's not normal
traffic? In addition, these specialists should know how to perform at least a
cursory host forensic evaluation (check out Incident
Response and Computer Forensics, Second
Edition by Chris Prosise, Kevin Mandia and Matt Pepe).
Q13: What are the top ten resources for IT Managers?
A:
- Their IT team - if they don't have a strong cohesive team that's on the same page, it's game over! All the remaining items are not in any particular order.
- Membership (directly or via IT team member) in HTCIA, to prepare for the day they may need inside law enforcement contacts.
- Strong security and use policies with the backing and
support of upper management, again, they need to be on the same page on their
policies or the IT team is a lame duck.
- The right tools in the right hands. Not all IT team members are generalists; if someone excels in a particular area have them focus on it, but require cross training.
- A trusted forensic investigator (internal or outside).
- A trusted network analyst (internal or outside).
- A distributed monitoring system that can identify and
report on anomalies, privileged file access or failed access attempts.
- A good training/conference budget to keep themselves
and their IT staff up-to-date on the latest issues, technology and solutions.
- Access to senior management to discuss, educate and
collaborate on desired technology requests, expected performance and implied
security risks.
- A good sense of humor. Networking is not pretty.
Q14: Laura, look into your crystal ball and provide your
top industry predictions.
A:
- Employee monitoring will become more commonplace (especially in the US) and we'll see more court cases backed by monitoring data.
- VoIP will continue to grow, but a few stumbles along
the way will make corporations a bit gun shy.
- Ethereal going commercial (sigh).
- All-in-one hacking kits and security auditing tools will be the rage; no more scrounging for just the right tool for the single job.
- Faster, smaller, smarter and more automated networks,
computers, applications.
- Litigation linked to corporate negligence in the security arena leading to identity theft, potentially the fall of a major corporation.
- US and international laws mandating the reporting of
child pornography storage, transfer, manufacture and distribution for
corporations.
- The PATRIOT act will remain in place much longer than anyone thought it could.
- I'll stop looking over my shoulder for Sister Gerald (grin).
Q15: A passion for you is the Internet Safety for Kids
Program. How is the program expanding and what goals do you have for the
program in 2006 and 2007?
A: The Internet Safety for Kids (ISK) project is near and dear to my heart, Stephen; thanks for bringing it up. In 2006, Brenda Czech (co-founder) and I plan to continue to update the "Internet Safety for Kids" book (which is free online at www.packet-level.com/kids) with the latest cases, predator profile information and protection methods. Ideally we'd like to publish the book in a more traditional book form to support development efforts and reach a non-technical audience. We'll keep the master slide set up to date and freely available online for anyone who wants to present the topic in their local communities.
In addition, this year we will begin the
internationalization of the materials with the translation into numerous
languages with local case and legal information. We will continue to create
strong collaborative ties with independent, charitable, local, state, federal
and international organizations focused on protecting children on and off-line.
We will also continue to create fictitious child victims online and document
our findings on predator tactics.
By 2007 we hope to have the ISK video courses online and
orderable on DVD for wider distribution. We�ll look to the corporate sector for
support in getting the information developed and delivered to a wider audience.
Although I wish I could focus on this project full-time, we've funded the
program ourselves to date and find we need more partners to reach a larger
audience.
Q16: You are a strong advocate for a higher penetration of
women in the industry. What steps would you recommend to increase participation?
What actions can corporations take?
A: In an ideal world we would have a fair balance of all races, creeds and sexes in the industry; that's just never going to happen. I don't point toward the corporations and demand that they "hire a certain percentage of women"; that sounds like reverse discrimination to me. These corporations need to hire the best person for the job. I think the responsibility of improving the situation rests on the shoulders of the women themselves. The Women in Technology (WIT) organization offers job listings, technology training, conferences and other resources (see www.witi.org for more information). As an example, when I sat on a women's technology panel at a conference in 2005 an attendee asked why a representative of a technical organization looking for officers was not there at the luncheon to consider some of the women in the room. My response was: "Why aren't you at their booth asking about the requirements for the position? You can bring this information back to share. They shouldn't have to go out of their way to be here just because you are a woman."
In addition, we really need to nurture young girls into technology: excite them about science and technology, not fashion. I detest going to my daughter's school to find the girls wearing and carrying pink items and bringing Barbie dolls into the classroom. Guess what, Mom and Dad? You just cut your daughter's earning power in half! If, as a parent, you are not tech savvy, go to the kids' science section in the bookstore and read with your kids. Why not read a book on quasars, black holes, how radar works, the space program, what pi is? Scientific American is still one of the best magazines to give a kid, boy or girl!
Now you've given me an idea: to write a book of techno-savvy bedtime stories for kids and non-tech savvy parents... hmmm...
Q17: Choose three topics of your choosing and provide commentary.
A: 1) Topic 1:
I would like to see corporations address
the issues of child pornography and have a clear cut "no tolerance" policy for
employees who create, download, distribute, store or perform any other activity
related to child pornography. Too many companies just sweep this under the rug
by a simple hand slap or quiet termination of an offender.
2) Topic 2:
I would like to see more technologists
explain to school kids what they do; in the US in
particular, we are falling behind in math and science. Many kids don�t know
that strong math and science skills can provide them with greater career
opportunities. Although a programmer may not think their job would be
interesting to a kid, consider the fascination of demonstrating a simple
program developed live, just a "hi world" demo. Then relate that to the
applications these kids use on a daily basis.
3) Topic 3:
Closer ties between the private sector and law enforcement are necessary. Over the years I've become great friends with
lots of law enforcement folks who are just as overwhelmed with the technology
changes as we are. They, in turn, know the legal aspects of collecting evidence
and prosecuting cases. There is a gap between the two sectors that needs to be
bridged � I think organizations like the HTCIA are a good start.
Q: Laura, we appreciate you taking the time to do this
interview and wish you continued success in your many ventures.
A: Thanks so much, Stephen. I appreciate the
opportunity to share my thoughts and experiences with your audience.